Defining Your Assessment Boundary
Once you’ve categorized every asset, you draw the line — this is your CMMC Assessment Scope. Everything inside the line gets assessed (to varying degrees depending on category). Everything outside is Out-of-Scope and not assessed.
The Boundary Includes
Four asset categories are inside the boundary:
- CUI Assets — assessed against all 110 requirements
- Security Protection Assets — assessed against relevant requirements
- Contractor Risk Managed Assets — SSP review with potential limited check
- Specialized Assets — SSP review, may qualify for Enduring Exception
The boundary is not just a line on a network diagram — it’s a defined security domain with controlled entry and exit points. Traffic crossing the boundary should pass through firewalls or other enforcement points. People crossing the boundary should pass through access controls.
Documentation Required
You must provide the assessor with three things:
- Asset inventory — every asset categorized into one of the five categories. The inventory should include: asset name/ID, type (server, workstation, network device, etc.), location, function, and asset category. This is the definitive list of what’s in scope.
- System Security Plan (SSP) — how each category of asset is treated, how requirements are implemented, and how the boundary is maintained. You don’t embed every individual asset in the SSP — the inventory handles that. The SSP documents how each category is managed.
- Network diagram — showing the assessment scope visually. CUI Assets, SPAs, CRMAs, Specialized Assets, and Out-of-Scope assets clearly identified. Boundary enforcement points (firewalls, access controls) clearly marked. Data flows showing where CUI moves.
The assessor reviews these documents before arriving on-site. They’re the roadmap for the entire assessment. If they’re inaccurate, incomplete, or contradictory, the assessment starts with findings before the first control is tested.
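The three documents contradict each other more often than people expect: the diagram shows CUI flowing to a device the inventory calls Out-of-Scope, or a backup target that never got a category at all. The script below is an added example, not code from the original page, that cross-checks a constructed inventory against constructed CUI data flows before an assessor does. The five category names and the treatment per category come from this page; every asset ID, location and flow is made-up sample data.

```python
"""Cross-check a constructed asset inventory against constructed CUI data flows.

Added example, not part of the original page. INVENTORY and CUI_FLOWS are
constructed sample data; the category names and the treatment per category
are the ones stated on the page. The checks catch the contradictions an
assessor would otherwise find first: an asset with no valid category, a CUI
flow that terminates on an Out-of-Scope asset, or a flow to an asset that is
missing from the inventory entirely.
"""

# Treatment per category, as stated on the page.
TREATMENT = {
    "CUI Asset": "assessed against all 110 requirements",
    "Security Protection Asset": "assessed against relevant requirements",
    "Contractor Risk Managed Asset": "SSP review, potential limited check",
    "Specialized Asset": "SSP review, may qualify for Enduring Exception",
    "Out-of-Scope": "not assessed",
}
IN_SCOPE = {c for c in TREATMENT if c != "Out-of-Scope"}

# Constructed sample inventory: one row per asset, fields as listed on the page.
INVENTORY = [
    {"id": "srv-01", "type": "server", "location": "DC-A", "function": "CUI file share", "category": "CUI Asset"},
    {"id": "ws-07", "type": "workstation", "location": "Eng floor", "function": "engineer laptop", "category": "CUI Asset"},
    {"id": "fw-01", "type": "network device", "location": "DC-A", "function": "boundary firewall", "category": "Security Protection Asset"},
    {"id": "cnc-03", "type": "OT", "location": "Shop floor", "function": "CNC mill", "category": "Specialized Asset"},
    {"id": "hr-app", "type": "server", "location": "DC-B", "function": "HR portal", "category": "Contractor Risk Managed Asset"},
    {"id": "guest-wifi", "type": "network device", "location": "Lobby", "function": "guest AP", "category": "Out-of-Scope"},
    {"id": "nas-09", "type": "storage", "location": "DC-A", "function": "backup target", "category": "Backup"},  # not one of the five
]

# Constructed CUI data flows read off the network diagram: (source, destination, intermediaries).
CUI_FLOWS = [
    ("ws-07", "srv-01", ["fw-01"]),   # clean: both endpoints CUI Assets, firewall is an SPA
    ("srv-01", "nas-09", []),         # backup of CUI to an asset with an invalid category
    ("ws-07", "guest-wifi", []),      # contradiction: CUI sent to an Out-of-Scope asset
    ("ws-07", "print-02", []),        # asset appears on the diagram but not in the inventory
]


def validate_inventory(inventory):
    """Return one finding per row whose category is not one of the five categories."""
    findings = []
    for row in inventory:
        if row.get("category") not in TREATMENT:
            findings.append(f"{row['id']}: unknown category {row.get('category')!r}")
    return findings


def validate_flows(inventory, flows):
    """Return findings where a CUI flow contradicts the inventory's categories.

    Endpoints of a CUI flow store or process CUI, so they must be CUI Assets.
    Intermediaries (firewalls, switches) only need to be in scope.
    """
    by_id = {row["id"]: row for row in inventory}
    findings = []
    for src, dst, via in flows:
        for endpoint in (src, dst):
            row = by_id.get(endpoint)
            if row is None:
                findings.append(f"{endpoint}: in CUI flow {src}->{dst} but not in the inventory")
            elif row["category"] != "CUI Asset":
                findings.append(f"{endpoint}: endpoint of CUI flow {src}->{dst} but categorized {row['category']!r}")
        for hop in via:
            row = by_id.get(hop)
            if row is None:
                findings.append(f"{hop}: carries CUI flow {src}->{dst} but not in the inventory")
            elif row["category"] not in IN_SCOPE:
                findings.append(f"{hop}: carries CUI flow {src}->{dst} but is Out-of-Scope")
    return findings


def scope_summary(inventory):
    """Group asset IDs by valid category; rows with an invalid category are left out."""
    summary = {c: [] for c in TREATMENT}
    for row in inventory:
        if row["category"] in summary:
            summary[row["category"]].append(row["id"])
    return summary


if __name__ == "__main__":
    for finding in validate_inventory(INVENTORY) + validate_flows(INVENTORY, CUI_FLOWS):
        print("FINDING:", finding)
    for category, ids in scope_summary(INVENTORY).items():
        print(f"{category}: {ids} -> {TREATMENT[category]}")
```

Run against the sample data it reports four findings: nas-09 has no valid category and is also the endpoint of a CUI backup flow, guest-wifi receives CUI while marked Out-of-Scope, and print-02 is on the diagram but absent from the inventory. Each of those is exactly the kind of inconsistency that turns into a finding before the first control is tested, and each is cheap to fix before the assessor reads the package. In a real environment you would load the inventory from whatever export your CMDB produces and the flows from the diagram's data-flow table; the check logic does not change.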
When Do You Need a New Assessment?
Significant changes require a new assessment:
- Network expansions that change the boundary architecture
- Mergers and acquisitions that bring new systems into scope
- Fundamental architecture changes (migrating from on-premises to cloud, or vice versa)
- Changes that alter the CMMC Assessment Scope in ways the existing SSP doesn’t cover
Operational changes within the existing boundary do NOT require a new assessment:
- Adding or removing resources that follow the existing SSP (new hire gets a laptop configured to the baseline, old server decommissioned and replaced)
- Routine hardware refreshes within the same architecture
- Normal staffing changes
These operational changes are covered by your annual affirmation — a yearly confirmation that you still meet the requirements within the existing scope.